Abstract. A characterization of predicate encryption (PE) with support for homomorphic operations is presented, and we describe the homomorphic properties of some existing PE constructions. Even for the special case of IBE, there are few known group-homomorphic cryptosystems. Our main construction is an XOR-homomorphic IBE scheme based on the quadratic residuosity problem (a variant of Cocks' scheme), which we show to be strongly homomorphic. We were unable to construct an anonymous variant that preserves this homomorphic property, but we achieved anonymity for a weaker notion of homomorphic encryption, which we call non-universal. A related security notion for this weaker primitive is formalized. Finally, some potential applications and open problems are considered.

1 Introduction 

There has been much interest recently in encryption schemes with homomorphic capabilities. Traditionally, malleability was avoided to satisfy strong security definitions, but many applications have been identified for cryptosystems supporting homomorphic operations. More recently, Gentry [1] presented the first fully-homomorphic encryption (FHE) scheme, and several improvements and variants have since appeared in the literature [2-5]. There are however many applications that only require a scheme to support a single homomorphic operation. Such schemes are referred to as partially homomorphic. Notable examples of unbounded homomorphic cryptosystems include Goldwasser-Micali [6] (XOR), Paillier [7] and ElGamal [8].

Predicate Encryption (PE) [9] enables a sender to embed a hidden descriptor within a ciphertext that consists of attributes describing the message content. A Trusted Authority (TA) who manages the system issues secret keys to users corresponding to predicates. A user can decrypt a ciphertext containing a descriptor a if and only if he/she has a secret key for a predicate that evaluates to true on a. This construct turns out to be quite powerful, and generalizes many encryption primitives. It facilitates expressive fine-grained access control, i.e. complex policies can be defined restricting the recipients who can decrypt a message. It also facilitates the evaluation of complex queries on data such as range, subset and search queries. Extending the class of supported predicates for known schemes is a topic of active research at present.

PE can be viewed in two ways. First, it can be viewed as a means to delegate computation to a third party, i.e. to allow the third party to perform a precise fixed function on the encrypted data, and thus limit what the third party learns about the data. In the spirit of this viewpoint, a generalization known as Functional Encryption has been proposed [10], which allows general functions to be evaluated.

PE can also be viewed as a means to achieve more fine-grained access control. It enables a stronger separation between sender and recipient, since the former must only describe the content of the message or more general conditions on its access, while decryption then depends on whether a recipient's access policy matches these conditions.

Why consider homomorphic encryption in the PE setting? It is conceivable that in a multi-user environment such as a large organization, certain computations may be delegated to the cloud whose inputs depend on the work of multiple users distributed within that organization. Depending on the application, the circuit to be computed may be chosen or adapted by the cloud provider, and thus is not fixed by the delegator as in primitives such as non-interactive verifiable computing [11]. Furthermore, the computation may depend on data sets provided by multiple independent users. Since the data is potentially sensitive, the organization's security policy may dictate that all data must be encrypted. Accordingly, each user encrypts her data with a PE scheme using relevant attributes to describe it. She then sends the ciphertext(s) to the cloud. It is desirable that the results of the computation returned from the cloud be decryptable only by an entity whose access policy (predicate) satisfies the attributes of all data sets used in the computation. Of course a public-key homomorphic scheme together with a PE scheme would be sufficient if the senders were able to interact before contacting the cloud, but we would like to remove this requirement since the senders may not be aware of each other. This brings to mind the recent notion of multikey homomorphic encryption presented by Lopez-Alt, Tromer and Vaikuntanathan [12].

Using a multikey homomorphic scheme, the senders need not interact with each other before evaluation takes place on the cloud. Instead, they must run an MPC decryption protocol to jointly decrypt the result produced by the cloud. The evaluated ciphertexts in the scheme described in [12] do not depend on the circuit size, and depend only polynomially on the security parameter and the number of parties who contribute inputs to the circuit. Therefore, the problem outlined above may be solved with a multikey fully homomorphic scheme used in conjunction with a PE scheme if we accept the evaluated ciphertext size to be polynomial in the number of parties. In this work, we are concerned with a ciphertext size that is independent of the number of parties. Naturally, this limits the composition of access policies, but if this is acceptable in an application, there may be efficiency gains over the combination of multikey FHE and PE.

In summary, homomorphic encryption in the PE setting is desirable if there is the possibility of multiple parties in a large organization (say) sending encrypted data to a semi-trusted evaluator and access policies are required to appropriately limit access to the results, where the "composition" of access policies is "lossy". We assume the semi-honest model in this paper; in particular we do not consider verifiability of the computation.

The state of affairs for homomorphic encryption even for the simplest special case of PE, namely identity-based encryption (IBE), leaves open many challenges. At his talk at Crypto 2010, Naccache [13] mentioned "identity-based fully homomorphic encryption" as one of a list of theory questions. Towards this goal, it has been pointed out in [14] that some LWE-based FHE constructions can be modified to obtain a weak form of an identity-based FHE scheme using the trapdoor functions from [15]; still, additional information is needed (beyond what can be non-interactively derived from a user's identity) in order to evaluate certain circuits and to perform bootstrapping. Therefore, the valued non-interactivity property of IBE, whereby no communication between encryptors and the TA is needed, is lost. To the best of our knowledge, fully-homomorphic or even "somewhat-homomorphic" IBE remains open, and a variant of the BGN-type scheme of Gentry, Halevi and Vaikuntanathan [16] is the only IBE scheme that can compactly evaluate quadratic formulae (supports 2-DNF).

As far as the authors are aware, there are no $(\mathbb{Z}_N, +)$ (like Paillier) or $(\mathbb{Z}_N^*, \cdot)$ (like ElGamal) homomorphic IBE schemes. Many pairings-based IBE constructions admit multiplicative homomorphisms which give us a limited additive homomorphism for small ranges; that is, a discrete logarithm problem must be solved to recover the plaintext, and the complexity thereof is $O(\sqrt{M})$, where $M$ is the size of the message space. Of a similar variety are public-key schemes such as BGN [17] and Benaloh [18]. It remains open to construct an unbounded additively homomorphic IBE scheme for a "large" range such as Paillier [7]. Possibly a fruitful step in this direction would be to look at Galbraith's variant of Paillier's cryptosystem based on elliptic curves over rings [19].

One of the contributions of this paper is to construct an additively homomorphic IBE scheme for $\mathbb{Z}_2$, which is usually referred to as XOR-homomorphic. XOR-homomorphic schemes such as Goldwasser-Micali [6] have been used in many practical applications including sealed-bid auctions, biometric authentication and as the building blocks of protocols such as private information retrieval, and it seems that an IBE XOR-homomorphic scheme may be useful in some of these scenarios. An overview of these applications is presented in Section 7.

We faced barriers however trying to make our XOR-homomorphic scheme anonymous. The main obstacle is that the homomorphism depends on the public key. We pose as an open problem the task of constructing a variant that achieves anonymity and retains the homomorphic property. Inheriting the terminology of Golle et al. [20] (who refer to re-encryption without the public key as universal re-encryption), we designate homomorphic evaluation in a scheme that does not require knowledge of the public key as universal. We introduce a weaker primitive that explicitly requires additional information to be passed to the homomorphic evaluation algorithm. Our construction can be made anonymous and retain its homomorphic property in this context; that is, if the attribute (identity in the case of IBE) is known to an evaluator. While this certainly is not ideal, it may be plausible in some scenarios that an evaluator is allowed to be privy to the attribute(s) encrypted by the ciphertexts, and it is other parties in the system to whom the attribute(s) must remain concealed. An adversary sees incoming and outgoing ciphertexts, and can potentially request evaluations on arbitrary ciphertexts. We call such a variant non-universal. We propose a syntax for a non-universal homomorphic primitive and formulate a security notion to capture attribute-privacy in this context.

1.1 Related Work 

There have been several endeavors to characterize homomorphic encryption schemes. Gjøsteen [21] succeeded in characterizing many well-known group homomorphic cryptosystems by means of an abstract construction whose security rests on the hardness of a subgroup membership problem. More recently, Armknecht, Katzenbeisser and Peter [22] gave a more complete characterization and generalized Gjøsteen's results to the IND-CCA1 setting. However, in this work, our focus is at a higher level and not concerned with the underlying algebraic structures. In particular, we do not require the homomorphisms to be unbounded since our aim is to provide a more general characterization for homomorphic encryption in the PE setting. Compactness, however, is required; that is, informally, the length of an evaluated ciphertext should be independent of the size of the computation.

The notion of receiver-anonymity or key-privacy was formally established by Bellare et al. [23], and the concept of universal anonymity (any user can anonymize a ciphertext) was proposed in [24]. The first universally anonymous IBE scheme appeared in [25]. Prabhakaran and Rosulek [26] consider receiver-anonymity for their definitions of homomorphic encryption.

Finally, since Cocks' IBE scheme [27] appeared, variants have been proposed ([25] and [28]) that achieve anonymity and improve space efficiency. However, the possibility of constructing a homomorphic variant has not received attention to date.

1.2 Organization 

Notation and background definitions are set out in Section 2. Our characterization of homomorphic predicate encryption is specified in Section 3: the syntax, correctness conditions and security notions are established, and the properties of such schemes are analyzed. In Section 4, some instantiations are given based on inner-product PE constructions. Our main construction, XOR-homomorphic IBE, is presented in Section 5. Non-universal homomorphic encryption and the abstraction of universal anonymizers are presented in Section 6, towards realizing anonymity for our construction in a weaker setting. Applications are described in Section 7, followed by conclusions and future work in Section 8.

2 Preliminaries 

A quantity is said to be negligible with respect to some parameter $\lambda$, written $\mathrm{negl}(\lambda)$, if it is asymptotically bounded from above by the reciprocal of all polynomials in $\lambda$.

For a probability distribution $D$, we denote by $x \xleftarrow{\$} D$ that $x$ is sampled according to $D$. If $S$ is a set, $y \xleftarrow{\$} S$ denotes that $y$ is sampled from $S$ according to the uniform distribution on $S$.

The support of a predicate $f : A \to \{0,1\}$ for some domain $A$ is denoted by $\mathrm{supp}(f)$, and is defined by the set $\{a \in A : f(a) = 1\}$.

Definition 1. Let $U = \{u_i\}_{i=1}^{n}$ be a set of $n$ entities subject to authorization in a system. An access structure $\Pi \subseteq \mathcal{P}(U) \setminus \{\emptyset\}$ is defined as a collection of subsets of $U$. The access structure is monotone if it is closed under superset; thus, $\forall T \subseteq U$, $\forall S \in \Pi$: $S \cup T \in \Pi$.

Definition 2 (Homomorphic Encryption). A homomorphic encryption scheme with message space $M$ supporting a class of $\ell$-input circuits $\mathcal{C} \subseteq \{M^\ell \to M\}$ is a tuple of PPT algorithms $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$ satisfying the property:

$$\forall (pk, sk) \leftarrow \mathrm{Gen}(1^\lambda),\ \forall C \in \mathcal{C},\ \forall m_1, \ldots, m_\ell \in M,\ \forall c_1, \ldots, c_\ell \leftarrow \mathrm{Enc}(pk, m_1), \ldots, \mathrm{Enc}(pk, m_\ell):$$

$$C(m_1, \ldots, m_\ell) = \mathrm{Dec}(sk, \mathrm{Eval}(pk, C, c_1, \ldots, c_\ell))$$



The following definition is based on [29].

Definition 3 (Strongly Homomorphic). Let $\mathcal{E}$ be a homomorphic encryption scheme with message space $M$ and class of supported circuits $\mathcal{C} \subseteq \{M^\ell \to M\}$. $\mathcal{E}$ is said to be strongly homomorphic iff $\forall C \in \mathcal{C}$, $\forall (pk, sk) \leftarrow \mathrm{Gen}$, $\forall m_1, \ldots, m_\ell$, $\forall c_1, \ldots, c_\ell \leftarrow \mathrm{Enc}(pk, m_1), \ldots, \mathrm{Enc}(pk, m_\ell)$, the distributions

$$\big(\mathrm{Enc}(pk, C(m_1, \ldots, m_\ell)),\ c_1, \ldots, c_\ell\big) \quad \text{and} \quad \big(\mathrm{Eval}(pk, C, c_1, \ldots, c_\ell),\ c_1, \ldots, c_\ell\big)$$

are statistically indistinguishable.



Definition 4 (Predicate Encryption (adapted from [9], Definition 1)). A predicate encryption (PE) scheme for the class of predicates $\mathcal{F}$ over the set of attributes $A$ and with message space $M$ consists of four algorithms Setup, GenKey, Encrypt, Decrypt such that:

— PE.Setup takes as input the security parameter $1^\lambda$ and outputs public parameters $PP$ and master secret key $MSK$.

— PE.GenKey takes as input the master secret key $MSK$ and a description of a predicate $f \in \mathcal{F}$. It outputs a key $SK_f$.

— PE.Encrypt takes as input the public parameters $PP$, a message $m \in M$ and an attribute $a \in A$. It returns a ciphertext $c$. We write this as $c \leftarrow \mathrm{Encrypt}(PP, a, m)$.

— PE.Decrypt takes as input a secret key $SK_f$ for a predicate $f$ and a ciphertext $c$. It outputs $m$ iff $f(a) = 1$. Otherwise it outputs a distinguished symbol $\bot$ with all but negligible probability.

Let us define $\mathcal{F}_a = \{f \in \mathcal{F} : f(a) = 1\}$. Moreover, define a family of access structures $\{\Pi_a : a \in A\}$ where $\Pi_a = \{T \subseteq \mathcal{F} : T \cap \mathcal{F}_a \neq \emptyset\}$. A subset $S_u$ of $\mathcal{F}$ models the functions for which a user $u$ has a secret key. Therefore, $u$ is authorized to decrypt a ciphertext with attribute $a$ if and only if $S_u \in \Pi_a$. Furthermore, let $A_u$ denote the set of attributes "decryptable" by $u$; that is, the set $\{a \in A : S_u \in \Pi_a\}$. Given a decryptable ciphertext, $|A_u|$ is indicative of the extent of attribute privacy (equivocation).

Remark 1. Predicate Encryption (PE) is known by various terms in the literature. PE stems from Attribute-Based Encryption (ABE) with Key Policy, or simply KP-ABE, and differs from it in its support for attribute privacy. As a result, "ordinary" KP-ABE is sometimes known as PE with public index. Another variant of ABE is CP-ABE (ciphertext policy), where the encryptor embeds her access policy in the ciphertext and a recipient must possess sufficient attributes in order to decrypt. This is the reverse of KP-ABE. In this paper, the emphasis is placed on PE with its more standard interpretation, namely KP-ABE with attribute privacy. Our results hold analogously for CP-ABE.

3 Homomorphic Predicate Encryption 
3.1 Syntax 

Let $M$ be a message space and let $A$ be a set of attributes. Consider a set of operations $\Gamma_M \subseteq \{M^\ell \to M\}$ on the message space, and a set of operations $\Gamma_A \subseteq \{A^\ell \to A\}$ on the attribute space. Jointly, define the set of permissible "gates" $\Gamma \subseteq \{\gamma_A \times \gamma_M : \gamma_A \in \Gamma_A, \gamma_M \in \Gamma_M\} \subseteq \{(A \times M)^\ell \to (A \times M)\}$ [1]. Thus, each operation on the plaintexts is associated with a single (potentially distinct) operation on the attributes. Finally, we can specify a class of permissible circuits $\mathcal{C}$ built from $\Gamma$.

Definition 5. A homomorphic predicate encryption (HPE) scheme for the non-empty class of predicates $\mathcal{F}$, message space $M$, attribute space $A$, and class of $\ell$-input circuits $\mathcal{C}$ consists of a tuple of five PPT algorithms Setup, GenKey, Encrypt, Decrypt and Evaluate, such that:

— HPE.Setup, HPE.GenKey, HPE.Encrypt and HPE.Decrypt are as specified in Definition 4.

— HPE.Evaluate($PP, C, c_1, \ldots, c_\ell$) takes as input the public parameters $PP$, an $\ell$-input circuit $C \in \mathcal{C}$, and ciphertexts $c_1 \leftarrow \mathrm{HPE.Encrypt}(PP, a_1, m_1), \ldots, c_\ell \leftarrow \mathrm{HPE.Encrypt}(PP, a_\ell, m_\ell)$. It outputs a ciphertext that encrypts the attribute-message pair $C((a_1, m_1), \ldots, (a_\ell, m_\ell))$.

[1] It is assumed that $\Gamma_A$ and $\Gamma_M$ are minimal insofar as $\forall \gamma_A \in \Gamma_A\ \exists \gamma_M \in \Gamma_M$ s.t. $\gamma_A \times \gamma_M \in \Gamma$, and the converse also holds. In particular, we later assume this of $\Gamma_A$.

Accordingly, the correctness criteria are defined as follows.

Correctness conditions: For any $(PP, MSK) \leftarrow \mathrm{HPE.Setup}(1^\lambda)$, $f \in \mathcal{F}$, $SK_f \leftarrow \mathrm{HPE.GenKey}(PP, MSK, f)$, $C \in \mathcal{C}$:

1. For any $a \in A$, $m \in M$, $c \leftarrow \mathrm{HPE.Encrypt}(PP, a, m)$:

$$\mathrm{HPE.Decrypt}(SK_f, c) = m \Leftrightarrow f(a) = 1$$

2. $\forall m_1, \ldots, m_\ell \in M$, $\forall a_1, \ldots, a_\ell \in A$, $\forall c_1, \ldots, c_\ell \leftarrow \mathrm{HPE.Encrypt}(PP, a_1, m_1), \ldots, \mathrm{HPE.Encrypt}(PP, a_\ell, m_\ell)$, $\forall c' \leftarrow \mathrm{HPE.Evaluate}(PP, C, c_1, \ldots, c_\ell)$:

(a) $\mathrm{HPE.Decrypt}(SK_f, c') = m' \Leftrightarrow f(a') = 1$, where $(m', a') = C((a_1, m_1), \ldots, (a_\ell, m_\ell))$

(b) $|c'| \le L(\lambda)$, where $L(\lambda)$ is a fixed polynomial derivable from $PP$.

Some example cases are captured as follows:

— Non-homomorphic: $\mathcal{C} = \emptyset$.

— Predicate-Only: A special case of PE that excludes plaintexts ("payloads") has been called a "predicate only" scheme in the literature [9]. Modelled by $M = \{0\}$ for a distinguished symbol $0$, and $\Gamma = \{\gamma_A \times \mathrm{id}_M : \gamma_A \in \Gamma_A\}$, where $\mathrm{id}_M$ is the identity operation on $M$.

3.2 Security Notions 

The security notions we consider carry over from the standard notions for PE. The basic requirement is IND-CPA security, which is referred to as "payload-hiding". A stronger notion is "attribute-hiding", which additionally entails indistinguishability of attributes. The definitions are game-based with non-adaptive and adaptive variants. The former prescribes that the adversary choose its target attributes at the beginning of the game before seeing the public parameters, whereas the latter allows the adversary's choice to be informed by the public parameters and secret key queries.

Definition 6. A (H)PE scheme $\mathcal{E}$ is said to be (fully) attribute-hiding (based on Definition 2 in [9]) if an adversary $\mathcal{A}$ has negligible advantage in the following game:

1. In the non-adaptive variant, $\mathcal{A}$ outputs two attributes $a_0$ and $a_1$ at the beginning of the game.

2. The challenger $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda)$ and outputs $(PP, MSK)$.

3. Phase 1: $\mathcal{A}$ makes adaptive queries for the secret keys for predicates $f_1, \ldots, f_k \in \mathcal{F}$ subject to the constraint that $f_i(a_0) = f_i(a_1)$ for $1 \le i \le k$.

4. Remark 2. In the stronger adaptive variant, $\mathcal{A}$ only chooses attributes $a_0$ and $a_1$ at this stage.

5. $\mathcal{A}$ outputs two messages $m_0$ and $m_1$ of equal length. It must hold that $m_0 = m_1$ if there is an $i$ such that $f_i(a_0) = f_i(a_1) = 1$.

6. $\mathcal{C}$ chooses a random bit $b$, and outputs $c \leftarrow \mathrm{Encrypt}(PP, a_b, m_b)$.

7. Phase 2: A second phase is run where $\mathcal{A}$ requests secret keys for other predicates subject to the same constraint as above.

8. Finally, $\mathcal{A}$ outputs a guess $b'$ and is said to win if $b' = b$.

A weaker property referred to as weakly attribute-hiding [9] requires that the adversary only request keys for predicates $f$ obeying $f(a_0) = f(a_1) = 0$.

We propose another model of security for non-universal homomorphic encryption in Section 6.



3.3 Attribute Operations 

We now characterize HPE schemes based on the properties of their attribute operations (elements of $\Gamma_A$).

Definition 7 (Properties of attribute operations). $\forall f \in \mathcal{F}$, $\forall a_1, a_2 \in A$, $\forall \gamma_A \in \Gamma_A$:

1. $f(\gamma_A(a_1, a_2)) \Rightarrow f(a_1) \wedge f(a_2)$ (3.1)
(Necessary condition for IND-CPA security)

2. $f(\gamma_A(a_1, a_1)) \Leftarrow f(a_1)$ (3.2)

3. $\forall d \in A$:
$f(a_1) = f(a_2) \Rightarrow f(\gamma_A(d, a_1)) = f(\gamma_A(d, a_2)) \wedge f(\gamma_A(a_1, d)) = f(\gamma_A(a_2, d))$ (3.3)
(Non-monotone Indistinguishability)

4. $f(\gamma_A(a_1, a_2)) = f(a_1) \wedge f(a_2)$ (3.4)
(Monotone Access)

Property (3.1) is a minimal precondition for payload-hiding, i.e. IND-CPA security under both adaptive and non-adaptive security definitions.

Property (3.2) preserves access under a homomorphic operation on ciphertexts with the same attribute. Property (3.3) is a necessary condition for full attribute-hiding.

Property (3.4) enables monotone access; a user only learns a function of a plaintext if and only if that user has permission to learn the value of that plaintext. This implies that $(A, \gamma_A)$ cannot be a group unless $\mathcal{F}$ is a class of constant predicates. In general, (3.4) implies that $\mathcal{F}$ is monotonic. Monotone access is equivalent to the preceding three properties collectively; that is, $(3.4) \Leftrightarrow (3.1) \wedge (3.2) \wedge (3.3)$.

Non-Monotone Access. Non-monotone access is trickier to define and to suitably accommodate in a security definition. It can arise from policies that involve negation. As an example, suppose that it is permissible for a party to decrypt data sets designated as either "geology" or "aviation", but it is not authorized to decrypt results with both designations that arise from homomorphic computations on both data sets. Of course it is then necessary to strengthen the restrictions on the adversary's choice of $a_0$ and $a_1$ in the security game. Let $a_0$ and $a_1$ be the attributes chosen by the adversary. Intuitively, the goal is to show that any sequence of transitions that leads $a_0$ to an element outside the support of $f$ also leads $a_1$ to an element outside the support of $f$, and vice versa. Instead of explicitly imposing this non-triviality constraint on the adversary's choice of attributes, one may seek to show that there is no pair of attributes distinguishable under any $\gamma_A$ and $f \in \mathcal{F}$. This is captured by the property of non-monotone indistinguishability (3.3). Trivially, the constant operations satisfy (3.3). Of more interest is an operation that limits homomorphic operations to ciphertexts with the same attribute. This captures our usual requirements for the (anonymous) IBE functionality, but it is also satisfactory for many applications of general PE where computation need only be performed on ciphertexts with matching attributes. To accomplish this, the attribute space is augmented with a (logical) absorbing element $z$ such that $f(z) = 0$ $\forall f \in \mathcal{F}$. The attribute operation is defined as follows:

$$\delta(a_1, a_2) = \begin{cases} a_1 & \text{if } a_1 = a_2 \\ z & \text{if } a_1 \neq a_2 \end{cases} \qquad (3.5)$$

$\delta$ models the inability to perform homomorphic evaluations on ciphertexts associated with unequal attributes (identities in the case of IBE). A scheme with this operation can only be fully attribute-hiding in a vacuous sense (it may be such that no restrictions are placed upon the adversary's choice of $f$, but it is unable to find attributes $a_0$ and $a_1$ satisfying $f(a_0) = f(a_1) = 1$ for any $f$). This is the case for anonymous IBE, where the predicates are equality relations, and for the constant map $(a_1, a_2) \mapsto z$ that models the absence of a homomorphic property, although this is preferably modeled by appropriately constraining the class of permissible circuits. More generally, such schemes can only be weakly attribute-hiding because their operations $\gamma_A$ only satisfy a relaxation of (3.3), given as follows:

Necessary condition for weakly attribute-hiding: $\forall a_1, a_2, d \in A$:

$$f(a_1) = f(a_2) = 0 \Rightarrow f(\gamma_A(d, a_1)) = f(\gamma_A(d, a_2)) \wedge f(\gamma_A(a_1, d)) = f(\gamma_A(a_2, d)) \qquad (3.6)$$

Remark 3. In the case of general schemes not satisfying (3.3), placing constraints on the adversary's choice of attributes weakens the security definition. Furthermore, it must be possible for the challenger to efficiently check whether a pair of attributes satisfies such a condition. Given the added complications, it is tempting to move to a simulation-based definition of security. However, this is precluded by the recent impossibility results of [30] in the case of both weakly and fully attribute-hiding in the NA/AD-SIM models of security. However, for predicate encryption with public index (the attribute is not hidden), this has not been ruled out for 1-AD-SIM and many-NA-SIM, where "1" and "many" refer to the number of ciphertexts seen by the adversary. See [30,31] for more details. In the context of non-monotone access, it thus seems more reasonable to focus on predicate encryption with public index. Our main focus in this work is on schemes that facilitate attribute privacy, and therefore we restrict our attention to schemes that at least satisfy (3.3).

Delegate Predicate Encryption. A primitive presented in [32] called "Delegate Predicate Encryption" (DPE)* enables a user to generate an encryption key associated with a chosen attribute $a \in A$, which does not reveal anything about $a$. The user can distribute this to certain parties who can then encrypt messages with attribute $a$ obliviously. The realization in [32] is similar to the widely-used technique of publishing encryptions of "zero" in a homomorphic cryptosystem, which can then be treated as a key. In fact, this technique is adopted in [33] to transform a strongly homomorphic private-key scheme into a public-key one. Generalizing from the results of [32], the following corollary follows from the property of attribute-hiding.

Corollary 1. An attribute-hiding HPE scheme is a DPE as defined in [32] if there exists a $\gamma \in \Gamma$ such that $(A \times M, \gamma)$ is unital.

4 Constructions with Attribute Aggregation 

In this section, we give some meaningful examples of attribute homomorphisms (all of which satisfy monotone access) for some known primitives. We begin with a special case of PE introduced by Boneh and Waters [34], which they call Hidden Vector Encryption. In this primitive, a ciphertext embeds a vector $w \in \{0,1\}^n$ where $n$ is fixed in the public parameters. On the other hand, a secret key corresponds to a vector $v \in V = \{*, 0, 1\}^n$ where $*$ is interpreted as a "wildcard" symbol or a "don't care" (it matches any symbol). A decryptor who has a secret key for some $v$ can check whether it matches the attribute in a ciphertext. To formulate in terms of PE, let $A = \{0,1\}^n$ and define



Now it would be advantageous if we could perform some aggregation on ciphertexts, i.e. nodes along a route could aggregate the ciphertexts they receive into a single outbound ciphertext.

*Not to be confused with the different notion of Delegatable Predicate Encryption. 




For a monotonic class of predicates $\mathcal{F}$ and an operation $\gamma_A$ satisfying (3.4), it must be the case that predicates in $\mathcal{F}$ are single conjunctions (one minterm). Such a predicate can be viewed as a tree of attributes. Let $\gamma_A : A \times A \to A$ be a binary operation on $A$. For any $x, y \in A$, let $z = \gamma_A(x, y)$. Now for (3.4) to hold, we must have that $f(z) = f(x) \wedge f(y)$ for all $f \in \mathcal{F}$. It follows that $x_i = y_i \Rightarrow z_i = x_i$. It is not possible for any operation to preserve (3.4) when $V = \{*, 0, 1\}^n$ for positive $n$. Thus, it is necessary to restrict $V$. Accordingly, let $V = \{*, 1\}^n$. Setting the non-equal elements to $0$ yields associativity and commutativity. Such an operation is equivalent to component-wise logical AND on the attribute vectors, and we will denote it by $\wedge^n$. $(A, \wedge^n)$ is a semilattice.
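The following is an added example, not code from the paper: it brute-forces the properties (3.1)-(3.4) of Definition 7 and the relaxation (3.6) over small attribute spaces, for the absorbing operation $\delta$ of (3.5) (with equality predicates as in anonymous IBE, and with a predicate accepting two distinct attributes) and for the component-wise AND $\wedge^n$ on HVE attributes with $V = \{*,1\}^n$ from this section. It also confirms the claim of Section 3.3 that (3.4) holds exactly when (3.1), (3.2) and (3.3) all hold. Attribute names, the set predicate and the value of $n$ are constructed for the illustration.

```python
from itertools import product

# Absorbing attribute z of (3.5): f(z) = 0 for every predicate f.
Z = "z"

def delta(a1, a2):
    """Operation (3.5): equal attributes pass through, unequal ones collapse to z."""
    return a1 if a1 == a2 else Z

def and_n(a1, a2):
    """Component-wise logical AND on {0,1}^n attribute vectors (the semilattice of Section 4)."""
    return tuple(x & y for x, y in zip(a1, a2))

def equality_predicates(identities):
    """Anonymous-IBE style predicates: f_id(a) = 1 iff a == id."""
    return [(lambda a, i=i: int(a == i)) for i in identities]

def membership_predicate(allowed):
    """A constructed non-equality predicate: f(a) = 1 iff a lies in a fixed set of attributes."""
    return lambda a: int(a in allowed)

def hve_predicates(n):
    """HVE predicates for v in {*,1}^n: f_v(w) = 1 iff w_i = 1 wherever v_i = 1."""
    return [(lambda w, v=v: int(all(vi == "*" or wi == 1 for vi, wi in zip(v, w))))
            for v in product(("*", 1), repeat=n)]

# Properties of Definition 7 and the relaxation (3.6), each checked for one predicate f,
# one operation g and a finite attribute set. Truth values are handled as 0/1 integers.
def holds_3_1(f, g, attrs):
    return all(f(g(a1, a2)) <= (f(a1) & f(a2)) for a1 in attrs for a2 in attrs)

def holds_3_2(f, g, attrs):
    return all(f(a) <= f(g(a, a)) for a in attrs)

def _indist(f, g, a1, a2, d):
    return f(g(d, a1)) == f(g(d, a2)) and f(g(a1, d)) == f(g(a2, d))

def holds_3_3(f, g, attrs):
    return all(f(a1) != f(a2) or _indist(f, g, a1, a2, d)
               for a1 in attrs for a2 in attrs for d in attrs)

def holds_3_4(f, g, attrs):
    return all(f(g(a1, a2)) == (f(a1) & f(a2)) for a1 in attrs for a2 in attrs)

def holds_3_6(f, g, attrs):
    # Only pairs with f(a1) = f(a2) = 0 are constrained.
    return all(f(a1) + f(a2) != 0 or _indist(f, g, a1, a2, d)
               for a1 in attrs for a2 in attrs for d in attrs)

PROPERTIES = {"3.1": holds_3_1, "3.2": holds_3_2, "3.3": holds_3_3,
              "3.4": holds_3_4, "3.6": holds_3_6}

def check(preds, g, attrs):
    """Which properties hold for every f in the family, plus the claim of Section 3.3
    that monotone access (3.4) is equivalent to (3.1), (3.2) and (3.3) together."""
    result = {name: all(h(f, g, attrs) for f in preds) for name, h in PROPERTIES.items()}
    result["equivalence"] = all(
        holds_3_4(f, g, attrs) == (holds_3_1(f, g, attrs) and holds_3_2(f, g, attrs)
                                   and holds_3_3(f, g, attrs))
        for f in preds)
    return result

def check_delta_ibe():
    """delta with equality predicates: every property holds, (3.3) only vacuously."""
    ids = ["alice", "bob", "carol"]
    return check(equality_predicates(ids), delta, ids + [Z])

def check_delta_general():
    """delta with a predicate accepting two distinct attributes: (3.3) and (3.4) fail,
    while the weaker condition (3.6) survives, as Section 3.3 states."""
    ids = ["alice", "bob", "carol"]
    return check([membership_predicate({"alice", "bob"})], delta, ids + [Z])

def check_and_n(n=3):
    """Component-wise AND on HVE attributes with V = {*,1}^n satisfies monotone access."""
    return check(hve_predicates(n), and_n, list(product((0, 1), repeat=n)))
```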

Recall that a predicate-only scheme does not incorporate a payload into ciphertexts. Even such a scheme $\mathcal{E}$ with the $\wedge^n$ attribute homomorphism might find some purpose in real-world scenarios. One particular application of $\mathcal{E}$ is secure data aggregation in Wireless Sensor Networks (WSNs), an area which has been the target of considerable research (a good survey is [35]). It is conceivable that some aggregator nodes may be authorized by the sink (the base station to which packets are forwarded) to read packets matching certain criteria. An origin sensor node produces an outgoing ciphertext as follows: (1) It encrypts the attributes describing its data using $\mathcal{E}$. (2) It encrypts its sensor reading with the public key of the sink using a separate additively (say) homomorphic public-key cryptosystem. (3) Both ciphertexts are forwarded to the next hop.

Since an aggregator node receives packets from multiple sources, it needs to have some knowledge about how to aggregate them. To this end, the sink can authorize it to apply a particular predicate to incoming ciphertexts to check for matching candidates for aggregation. One sample policy may be ["REGION1" $\wedge$ "TEMPERATURE"]. It can then aggregate ciphertexts matching this policy. Additional aggregation can be performed by a node further along the route that has perhaps been issued a secret key for a predicate corresponding to the more permissive policy of ["TEMPERATURE"]. In the scenario above, it would be more ideal if $\mathcal{E}$ were also additively homomorphic, since besides obviating the need to use another PKE cryptosystem, more control is afforded to aggregators; they receive the ability to decrypt partial sums, and therefore, to perform (more involved) statistical computations on the data.

It is possible to achieve the former case from some recent inner-product PE schemes that admit homomorphisms on both attributes and payload. We focus on two prominent constructions with different mathematical structures. Firstly, we examine a construction by Katz, Sahai and Waters (KSW) [9], which relies on non-standard assumptions on bilinear groups, assumptions that are justified by the authors in the generic group model. Secondly, we focus on a construction presented by Agrawal, Freeman and Vaikuntanathan (AFV) [36] whose security is based on the learning with errors (LWE) problem.



In both schemes, an attribute is an element of $\mathbb{Z}_m^n$ [2] and a predicate also corresponds to an element of $\mathbb{Z}_m^n$. For $v \in \mathbb{Z}_m^n$, a predicate $f_v : \mathbb{Z}_m^n \to \{0,1\}$ is defined by



Roughly speaking, in a ciphertext, all sub-attributes (in $\mathbb{Z}_m$) are blinded by the same uniformly random "blinding" element [3]. The decryption algorithm multiplies each component by the corresponding component in the predicate vector, and the blinding element $b$ is eliminated when the inner product evaluates to zero, with all but negligible probability, which allows decryption to proceed.

Let $c_1$ and $c_2$ be ciphertexts that encrypt attributes $a_1$ and $a_2$ respectively. It can be easily shown that the sum $c' = c_1 \boxplus c_2$ [4] encrypts both $a_1$ and $a_2$ in a somewhat "isolated" way. The lossiness is "hidden" by the negligible probability of two non-zero inner products summing to $0$. For linear aggregation, this can be repeated a polynomial number of times (or effectively unbounded in practice) while ensuring correctness with overwhelming probability. While linear aggregation is sufficient for the WSN scenario, it is interesting to explore other circuit forms. For the KSW scheme, we observe that all circuits of polynomial depth can be evaluated with overwhelming probability. For AFV, the picture is somewhat similar to the fully homomorphic schemes based on LWE such as [4,5], but without requiring multiplicative gates.
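As an added example (not code from the paper, and not the KSW or AFV scheme itself), the following toy model isolates the blinding mechanism just described: the attribute part of a ciphertext is $b \cdot x$ over $\mathbb{Z}_m$ for a random blind $b$, the predicate test checks whether $\langle v, b \cdot x \rangle = 0 \pmod m$, and the pairwise sum of two such ciphertexts passes the test for $v$ only when both inner products vanish, up to a $1/(m-1)$ false-accept probability that the exact enumeration for a small prime makes visible. The modulus, predicate vector and attribute vectors are constructed values.

```python
from fractions import Fraction
import secrets

# Large prime modulus; a constructed choice standing in for the superpolynomial m the text requires.
M = (1 << 61) - 1

def inner(u, v, m=M):
    return sum(a * b for a, b in zip(u, v)) % m

def blind_attribute(x, m=M):
    """Toy 'attribute ciphertext': every sub-attribute is multiplied by the same random non-zero blind b."""
    b = secrets.randbelow(m - 1) + 1
    return [(b * xi) % m for xi in x]

def aggregate(c1, c2, m=M):
    """Pairwise sum of ciphertext components (the boxed-plus operation of the text)."""
    return [(a + b) % m for a, b in zip(c1, c2)]

def matches(v, c, m=M):
    """Predicate test performed at decryption: f_v accepts iff the blinded inner product vanishes mod m."""
    return inner(v, c, m) == 0

V = [1, 2, 3]        # constructed predicate vector
X_OK = [3, 0, -1]    # <V, X_OK> = 3 - 3 = 0        -> f_V accepts
X_BAD = [1, 1, 1]    # <V, X_BAD> = 6 (non-zero)     -> f_V rejects

def acceptance_counts(trials=100):
    """Aggregate freshly blinded attributes and count how often f_V accepts the sum.
    With a large prime m, ok+ok always passes and the mixed/bad cases (essentially) never do."""
    counts = {"ok+ok": 0, "ok+bad": 0, "bad+bad": 0}
    for _ in range(trials):
        ok1, ok2 = blind_attribute(X_OK), blind_attribute(X_OK)
        bad1, bad2 = blind_attribute(X_BAD), blind_attribute(X_BAD)
        counts["ok+ok"] += matches(V, aggregate(ok1, ok2))
        counts["ok+bad"] += matches(V, aggregate(ok1, bad1))
        counts["bad+bad"] += matches(V, aggregate(bad1, bad2))
    return counts

def false_accept_fraction(m):
    """Exact probability, for a small prime m not dividing <V, X_BAD>, that the sum of two
    non-matching attributes is wrongly accepted: b1<V,X_BAD> + b2<V,X_BAD> = 0 (mod m) happens
    exactly when b2 = -b1, i.e. for (m-1) of the (m-1)^2 blind pairs."""
    hits = 0
    for b1 in range(1, m):
        for b2 in range(1, m):
            c = aggregate([(b1 * x) % m for x in X_BAD], [(b2 * x) % m for x in X_BAD], m)
            hits += matches(V, c, m)
    return Fraction(hits, (m - 1) ** 2)
```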

[2] In [9], $m$ is a product of three large primes and $n$ is the security parameter. In [36], $n$ is independent of the security parameter and $m$ may be polynomial or superpolynomial in the security parameter; in the latter case $m$ is the product of many "small" primes. We require that $m$ be superpolynomial here.

[3] A scalar in KSW and a matrix in AFV.

[4] $\boxplus$ denotes a pairwise sum of the ciphertext components in both schemes.




While there are motivating scenarios for aggregation on the attributes, in many cases it is adequate or preferable to restrict evaluation to ciphertexts with matching attributes; that is, by means of the $\delta$ operation defined in Section 3.3. Among these cases is anonymous IBE. In the next section, we introduce an IBE construction that supports an unbounded XOR homomorphism, prove that it is strongly homomorphic and then investigate anonymous variants.

5 Main Construction: XOR-Homomorphic IBE

In this section, an XOR-homomorphic IBE scheme is presented whose security is based on the quadratic residuosity assumption. Therefore, it is similar in many respects to the Goldwasser-Micali (GM) cryptosystem [6], which is well known to be XOR-homomorphic. Indeed, the GM scheme has found many practical applications due to its homomorphic property. In Section 7 we show how many of these applications benefit from an XOR-homomorphic scheme in the identity-based setting.

Our construction derives from the IBE scheme due to Cocks [17], which has a security reduction to the quadratic residuosity problem. To the best of our knowledge, a homomorphic variant has not been explored to date.

5.1 Background

Let $m$ be an integer. A quadratic residue in the residue ring $\mathbb{Z}_m$ is an integer $x$ such that $x \equiv y^2 \pmod m$ for some $y \in \mathbb{Z}_m$. The set of quadratic residues in $\mathbb{Z}_m$ is denoted $\mathrm{QR}(m)$. If $m$ is prime, it is easy to determine whether any $x \in \mathbb{Z}_m$ is a quadratic residue.

Let $N = pq$ be a composite modulus where $p$ and $q$ are prime. Let $x \in \mathbb{Z}_N$. We write $\left(\frac{x}{N}\right)$ to denote the Jacobi symbol of $x$ mod $N$. The subset of integers with Jacobi symbol $+1$ (resp. $-1$) is denoted $\mathbb{Z}_N[+1]$ (resp. $\mathbb{Z}_N[-1]$). The quadratic residuosity problem is to determine, given input $(N, x \in \mathbb{Z}_N[+1])$, whether $x \in \mathrm{QR}(N)$, and it is believed to be intractable.

Define the encoding $\nu : \{0, 1\} \to \{-1, 1\}$ with $\nu(0) = 1$ and $\nu(1) = -1$. Formally, $\nu$ is a group isomorphism between $(\mathbb{Z}_2, +)$ and $(\{-1, 1\}, \cdot)$.

In this section, we build on the results of [25] and therefore attempt to maintain consistency with their notation where possible. As in [25], we let $H : \{0, 1\}^* \to \mathbb{Z}_N[+1]$ be a full-domain hash. A message bit is mapped to an element of $\{-1, 1\}$ via $\nu$ as defined earlier (0 (resp. 1) is encoded as 1 (resp. $-1$)).

5.2 Original Cocks IBE Scheme

- CocksIBE.Setup($1^\lambda$):

  1. Repeat: $p, q \leftarrow \mathrm{RandPrime}(1^\lambda)$ Until: $p \equiv q \equiv 3 \pmod 4$

  2. $N \leftarrow pq$

  3. Output $(\mathrm{PP} := N, \mathrm{MSK} := (p, q))$

- CocksIBE.KeyGen(PP, MSK, ID):

  1. Parse MSK as $(p, q)$.

  2. $a \leftarrow H(\mathrm{ID})$

  3. $r \leftarrow a^{(N + 5 - p - q)/8} \pmod N$ ($\therefore r^2 \equiv a \pmod N$ or $r^2 \equiv -a \pmod N$)

  4. Output $\mathrm{sk}_{\mathrm{ID}} := (\mathrm{ID}, r)$

- CocksIBE.Encrypt(PP, ID, $b$):

  1. $a \leftarrow H(\mathrm{ID})$

  2. $t_1, t_2 \leftarrow \mathbb{Z}_N^*[\nu(b)]$

  3. Output $\psi := (t_1 + a t_1^{-1},\ t_2 - a t_2^{-1})$

- CocksIBE.Decrypt(PP, $\mathrm{sk}_{\mathrm{ID}}$, $\psi$):

  1. Parse $\psi$ as $(\psi_1, \psi_2)$

  2. Parse $\mathrm{sk}_{\mathrm{ID}}$ as $(\mathrm{ID}, r)$

  3. $a \leftarrow H(\mathrm{ID})$

  4. If $r^2 \equiv a \pmod N$, set $d \leftarrow \psi_1$. Else if $r^2 \equiv -a \pmod N$, set $d \leftarrow \psi_2$. Else output $\bot$ and abort.

  5. Output $\nu^{-1}\!\left(\left(\frac{d + 2r}{N}\right)\right)$

The above scheme can be shown to be adaptively secure in the random oracle model assuming the hardness of the quadratic residuosity problem.

Anonymity. Cocks' scheme is not anonymous. Boneh et al. [37] report a test due to Galbraith that enables an attacker to distinguish the identity of a ciphertext. This is achieved with overwhelming probability given multiple ciphertexts. It is shown by Ateniese and Gasti [25] that there is no "better" test for attacking anonymity. Briefly, let $a = H(\mathrm{ID})$ be the public key derived from the identity $\mathrm{ID}$. Let $c$ be a ciphertext in the Cocks scheme. Galbraith's test is defined as

$$\mathrm{GT}(a, c, N) = \left(\frac{c^2 - 4a}{N}\right).$$

Now if $c$ is a ciphertext encrypted with $a$, then $\mathrm{GT}(a, c, N) = +1$ with all but negligible probability. For $b \in \mathbb{Z}_N[+1]$ such that $b \neq a$, the value $\mathrm{GT}(b, c, N)$ is statistically close to the uniform distribution on $\{-1, 1\}$. Therefore, given multiple ciphertexts, it can be determined with overwhelming probability whether they correspond to a particular identity.



5.3 XOR-homomorphic Construction

Fix some $a \in \mathrm{QR}(N)$, and let $r^2 \equiv a \pmod N$. For some $b \in \{0, 1\}$, set $\psi \leftarrow \mathrm{CocksIBE.Encrypt}(a, b)$. To attain the homomorphic property, we need to represent each "component" of $\psi$ by a pair of elements in $\mathbb{Z}_N$ instead of a single element. Thus, we have $\psi' = (c_1, c_2, d_1, d_2) \in \mathbb{Z}_N^2 \times \mathbb{Z}_N^2$. However, we will omit the second pair in the following discussion because all properties hold analogously ($a$ is replaced by $-a$ and a different choice of $r$ is employed that satisfies $r^2 \equiv -a \pmod N$). Thus, ciphertexts are considered as elements of $\mathbb{Z}_N^2$. Consider the following encryption algorithm $E_a$ defined by

  $E_a(b \in \{0, 1\})$:
    $t \leftarrow \mathbb{Z}_N^*[\nu(b)]$
    return $(t + a t^{-1},\ 2) \in \mathbb{Z}_N^2$

Define $D_a(c) = \nu^{-1}\!\left(\left(\frac{c_1 + r c_2}{N}\right)\right)$. The homomorphic operation $\boxplus : \mathbb{Z}_N^2 \times \mathbb{Z}_N^2 \to \mathbb{Z}_N^2$ is defined as follows:

$$c \boxplus d = (c_1 d_1 + a c_2 d_2,\ c_1 d_2 + c_2 d_1) \tag{5.1}$$

It is easy to see that $D_a(c \boxplus d) = D_a(c) \oplus D_a(d)$, using $r^2 = a$ and the multiplicativity of the Jacobi symbol:

$$\begin{aligned}
D_a(c \boxplus d) &= D_a((c_1 d_1 + a c_2 d_2,\ c_1 d_2 + c_2 d_1)) \\
&= \nu^{-1}\!\left(\left(\frac{(c_1 d_1 + a c_2 d_2) + r(c_1 d_2 + c_2 d_1)}{N}\right)\right) \\
&= \nu^{-1}\!\left(\left(\frac{c_1 d_1 + r c_1 d_2 + r c_2 d_1 + r^2 c_2 d_2}{N}\right)\right) \\
&= \nu^{-1}\!\left(\left(\frac{(c_1 + r c_2)(d_1 + r d_2)}{N}\right)\right) \\
&= \nu^{-1}\!\left(\left(\frac{c_1 + r c_2}{N}\right)\right) \oplus \nu^{-1}\!\left(\left(\frac{d_1 + r d_2}{N}\right)\right) \\
&= D_a(c) \oplus D_a(d)
\end{aligned} \tag{5.2}$$

Let $R_a = \mathbb{Z}_N[x]/(x^2 - a)$ be a quotient of the polynomial ring $R = \mathbb{Z}_N[x]$. It is more natural and convenient to view ciphertexts as elements of $R_a$ and the homomorphic operation as multiplication in $R_a$. Furthermore, decryption equates to evaluation at the point $r$. Thus the homomorphic evaluation of two ciphertext polynomials $c(x)$ and $d(x)$ is simply $e(x) = c(x) * d(x)$ where $*$ denotes multiplication in $R_a$. Decryption becomes $\nu^{-1}\!\left(\left(\frac{e(r)}{N}\right)\right)$. We now formally describe our first variant of the Cocks scheme that supports an XOR homomorphism.



Remark 4. We have presented the scheme in accordance with Definition 5 for consistency with the rest of the paper. Therefore, it uses the circuit formulation, which we would typically consider superfluous for a group homomorphic scheme.

Let $\mathcal{C} = \{\mathbf{x} \mapsto \langle \mathbf{v}, \mathbf{x} \rangle : \mathbf{v} \in \mathbb{Z}_2^\ell\} \subseteq (\mathbb{Z}_2^\ell \to \mathbb{Z}_2)$ be the class of arithmetic circuits characterized by linear functions over $\mathbb{Z}_2$ in $\ell$ variables. As such, we associate a representative vector $V(C) \in \mathbb{Z}_2^\ell$ to every circuit $C \in \mathcal{C}$. In order to obtain a strongly homomorphic scheme, we use the standard technique of re-randomizing the evaluated ciphertext by homomorphically adding an encryption of zero.

- xhIBE.Encrypt(PP, ID, $b$):

  1. $a \leftarrow H(\mathrm{ID})$

  2. As a subroutine (used later), define $E(\mathrm{PP}, a, b)$:

    (a) $t_1, t_2 \leftarrow \mathbb{Z}_N^*[\nu(b)]$

    (b) $g_1, g_2 \leftarrow \mathbb{Z}_N^*$

    (c) $c(x) \leftarrow (t_1 + a g_1^2 t_1^{-1}) + 2 g_1 x \in \mathbb{Z}_N[x]$

    (d) $d(x) \leftarrow (t_2 - a g_2^2 t_2^{-1}) + 2 g_2 x \in \mathbb{Z}_N[x]$

    (e) Repeat steps (a)-(d) until $\mathrm{GT}(a, c(x)) = 1$ and $\mathrm{GT}(-a, d(x)) = 1$ (the function $\mathrm{GT} : R \to \{-1, 0, 1\}$ is defined below)

    (f) Output $(c(x), d(x))$

  3. Output $(E(\mathrm{PP}, a, b), a)$

- xhIBE.Decrypt(PP, $\mathrm{sk}_{\mathrm{ID}}$, $c$):

  1. Parse $c$ as $(c(x), d(x), a)$

  2. Parse $\mathrm{sk}_{\mathrm{ID}}$ as $(\mathrm{ID}, r)$

  3. If $r^2 \equiv a \pmod N$ and $\mathrm{GT}(a, c(x)) = 1$, set $e(x) \leftarrow c(x)$. Else if $r^2 \equiv -a \pmod N$ and $\mathrm{GT}(-a, d(x)) = 1$, set $e(x) \leftarrow d(x)$. Else output $\bot$ and abort.

  4. Output $\nu^{-1}\!\left(\left(\frac{e(r)}{N}\right)\right)$

- xhIBE.Eval(PP, $C$, $\psi_1, \ldots, \psi_\ell$):

  1. Parse $\psi_i$ as $(c_i(x), d_i(x), a_i)$ for $1 \le i \le \ell$

  2. If $a_i \neq a_j$ for some $1 \le i, j \le \ell$, abort with $\bot$.

  3. Let $a \leftarrow a_1$ and let $R_a = \mathbb{Z}_N[x]/(x^2 - a)$

  4. $\mathbf{v} \leftarrow V(C)$

  5. $J \leftarrow \{1 \le i \le \ell : v_i = 1\}$

  6. $(c'(x), d'(x)) \leftarrow \left(\prod_{i \in J} c_i(x) \bmod (x^2 - a),\ \prod_{i \in J} d_i(x) \bmod (x^2 + a)\right)$

  7. $(c_z(x), d_z(x)) \leftarrow E(\mathrm{PP}, a, 0)$ ($E$ is defined as a subroutine in the specification of xhIBE.Encrypt)

  8. Output $(c'(x) * c_z(x) \bmod (x^2 - a),\ d'(x) * d_z(x) \bmod (x^2 + a),\ a)$.
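The construction of Section 5.3 and the xhIBE algorithms above, as an added worked example that is not code from the paper: a small Python implementation over $R_a = \mathbb{Z}_N[x]/(x^2 - a)$ with Cocks key extraction, the generalized Galbraith test used by Decrypt, and Eval as ring multiplication followed by rerandomization with an encryption of zero. The modulus (two Mersenne primes $\equiv 3 \pmod 4$), the SHA-256-with-counter full-domain hash and the identity strings are assumptions of this example, and the bit sequence in `demo` is constructed input.

```python
import hashlib
import random

# Demo modulus for this example only: two Mersenne primes, both = 3 (mod 4), as Setup requires.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q

def jacobi(x, n):
    """Jacobi symbol (x / n) for odd n > 0; returns -1, 0 or +1."""
    x %= n
    result = 1
    while x:
        while x % 2 == 0:          # pull out factors of two
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x                # quadratic reciprocity
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n
    return result if n == 1 else 0

def hash_to_id(identity):
    """Full-domain hash H : {0,1}* -> Z_N[+1]; SHA-256 with a counter is an assumption here."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{ctr}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if jacobi(a, N) == 1:
            return a
        ctr += 1

def keygen(identity):
    """Cocks key extraction: r = a^((N+5-p-q)/8) satisfies r^2 = a or r^2 = -a (mod N)."""
    a = hash_to_id(identity)
    return (identity, pow(a, (N + 5 - P - Q) // 8, N))

def sample_unit(rng, sign=None):
    """Uniform t in Z_N^*, optionally restricted to Jacobi symbol `sign` (i.e. Z_N^*[sign])."""
    while True:
        t = rng.randrange(2, N)
        if jacobi(t, N) in ((sign,) if sign else (1, -1)):
            return t

def gt(a, c):
    """Generalized Galbraith test GT(a, c(x)) = ((c1^2 - a*c2^2) / N) for c(x) = c1 + c2*x."""
    c1, c2 = c
    return jacobi(c1 * c1 - a * c2 * c2, N)

def ring_mul(c, d, a):
    """Multiplication in R_a = Z_N[x]/(x^2 - a); coefficientwise this is operation (5.1)."""
    c1, c2 = c
    d1, d2 = d
    return ((c1 * d1 + a * c2 * d2) % N, (c1 * d2 + c2 * d1) % N)

def encrypt_poly(a, b, rng):
    """Subroutine E(PP, a, b): returns (c(x), d(x)) as (constant, x-coefficient) pairs."""
    sign = 1 - 2 * b                                   # nu(b): 0 -> +1, 1 -> -1
    while True:
        t1, t2 = sample_unit(rng, sign), sample_unit(rng, sign)
        g1, g2 = sample_unit(rng), sample_unit(rng)
        c = ((t1 + a * g1 * g1 * pow(t1, -1, N)) % N, 2 * g1 % N)
        d = ((t2 - a * g2 * g2 * pow(t2, -1, N)) % N, 2 * g2 % N)
        if gt(a, c) == 1 and gt((-a) % N, d) == 1:     # reject the negligibly rare bad draws
            return c, d

def decrypt(sk, ct):
    """xhIBE.Decrypt: pick the component matching r^2 = +-a, evaluate at r, read the Jacobi symbol."""
    _, r = sk
    c, d, a = ct
    if r * r % N == a and gt(a, c) == 1:
        e = c
    elif r * r % N == (-a) % N and gt((-a) % N, d) == 1:
        e = d
    else:
        return None                                    # the paper's "output bottom and abort"
    e_at_r = (e[0] + e[1] * r) % N                     # e(r); evaluation at r is a ring homomorphism
    return 0 if jacobi(e_at_r, N) == 1 else 1          # nu^{-1}

def evaluate(cts, J, rng):
    """xhIBE.Eval for the linear circuit XOR-ing the ciphertexts indexed by J, then rerandomizing."""
    a = cts[0][2]
    if any(ct[2] != a for ct in cts):
        return None                                    # attributes must match
    c_acc, d_acc = (1, 0), (1, 0)                      # 1 + 0x, the identity of both rings
    for i in J:
        c_acc = ring_mul(c_acc, cts[i][0], a)
        d_acc = ring_mul(d_acc, cts[i][1], (-a) % N)
    cz, dz = encrypt_poly(a, 0, rng)                   # fresh encryption of 0 (step 7)
    return (ring_mul(c_acc, cz, a), ring_mul(d_acc, dz, (-a) % N), a)

def demo(identity="alice", bits=(1, 0, 1, 1), J=(0, 2, 3), seed=7):
    rng = random.Random(seed)
    sk, a = keygen(identity), hash_to_id(identity)
    cts = [encrypt_poly(a, b, rng) + (a,) for b in bits]  # xhIBE.Encrypt output (c(x), d(x), a)
    expected = sum(bits[i] for i in J) % 2
    return {"fresh_ok": [decrypt(sk, ct) for ct in cts] == list(bits),
            "eval_bit": decrypt(sk, evaluate(cts, J, rng)), "expected": expected,
            "other_key_rejects": decrypt(keygen("bob"), cts[0]) is None}
```

`demo()` encrypts four constructed bits to one identity, XORs three of them homomorphically and checks that a key for a different identity is rejected; `pow(t, -1, N)` needs Python 3.8 or later.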

We now prove that our scheme is group homomorphic and strongly homomorphic. A formalization of group homomorphic public-key schemes is given in [38]. Our adapted definition for the PE setting raises some subtle points. The third requirement in [38] is more difficult to formalize for general PE; we omit it from the definition here and leave a complete formalization to the full version. We remark that this property, which relates to distinguishing "illegitimate ciphertexts" during decryption, is not necessary to achieve IND-ID-CPA security.

Definition 8 (Adapted from Definition 1 in [38]). Let $\mathcal{E} = (G, K, E, D)$ be a PE scheme with message space $M$, attribute space $A$, ciphertext space $C$ and class of predicates $\mathcal{F}$. The scheme $\mathcal{E}$ is group homomorphic with respect to a non-empty set of attributes $A' \subseteq A$ if for every $(\mathrm{PP}, \mathrm{MSK}) \leftarrow G(1^\lambda)$, every $f \in \mathcal{F}$ with $A' \subseteq \mathrm{supp}(f)$, and every $\mathrm{sk}_f \leftarrow K(\mathrm{MSK}, f)$, the message space $(M, \cdot)$ is a non-trivial group, and there is a binary operation $\Box : C \times C \to C$ such that the following properties are satisfied for the restricted ciphertext space $C_f = \{c \in C : D_{\mathrm{sk}_f}(c) \neq \bot\}$:

1. The set of all encryptions $\tilde{C} := \{c \in C_f \mid c \leftarrow E(\mathrm{PP}, a, m),\ a \in A',\ m \in M\}$ under attributes in $A'$ is a non-trivial group under the operation $\Box$.

2. The restricted decryption $D^*_{\mathrm{sk}_f} := D_{\mathrm{sk}_f}|_{\tilde{C}}$ is surjective and $\forall c, c' \in \tilde{C}$: $D_{\mathrm{sk}_f}(c \Box c') = D_{\mathrm{sk}_f}(c) \cdot D_{\mathrm{sk}_f}(c')$.

3. IBE only (generalized in the full version). If $\mathcal{E}$ is an IBE scheme, then $C_f$ is also required to be a group, and it is required to be computationally indistinguishable from $\tilde{C}$; that is:

$$\{(\mathrm{PP}, f, \mathrm{sk}_f, S, c) \mid c \leftarrow \tilde{C},\ S \subseteq \{\mathrm{sk}_g \leftarrow K(g) : g \in \mathcal{F}\}\} \approx \{(\mathrm{PP}, f, \mathrm{sk}_f, S, c) \mid c \leftarrow C_f,\ S \subseteq \{\mathrm{sk}_g \leftarrow K(g) : g \in \mathcal{F}\}\}$$

Informally, the above definition is telling us that for a given subset of attributes $A'$ satisfying a predicate $f$, the set of honestly generated encryptions under these attributes forms a group that is epimorphic to the plaintext group. It does not say anything about ciphertexts that are not honestly generated except in the case of IBE, where we require that all ciphertexts that do not decrypt to $\bot$ under a secret key are indistinguishable.

For the remainder of this section, we show that xhIBE fulfills the definition of a group homomorphic scheme, and that it is IND-ID-CPA secure under the quadratic residuosity assumption in the random oracle model. To simplify the presentation of the proofs, additional notation is needed. In particular, we inherit the notation from [25], and generalize it to the ring $R_a$.

Galbraith's test is generalized straightforwardly:

$$\mathrm{GT}(a, c(x)) = \left(\frac{c_1^2 - a c_2^2}{N}\right) \quad \text{for } c(x) = c_1 + c_2 x \in R_a.$$

Define the subset $G_a \subseteq R_a$ as follows:

$$G_a = \{c(x) \in R_a : \mathrm{GT}(a, c(x)) = 1\}$$

Define the subset $S_a \subseteq G_a$ (see footnote 6):

$$S_a = \{2hx + (t + a h^2 t^{-1}) \in G_a \mid h, t, (t + a h^2 t^{-1}) \in \mathbb{Z}_N^*\}$$

We have the following simple lemma:
Lemma 1.

1. $(G_a, *)$ is a multiplicative subgroup of $R_a$.

2. $(S_a, *)$ is a subgroup of $G_a$.

Proof. We must show that $G_a$ is closed under $*$. Let $c(x), d(x) \in G_a$, and let $e(x) = c(x) * d(x)$. By (5.1), $e_1 = c_1 d_1 + a c_2 d_2$ and $e_2 = c_1 d_2 + c_2 d_1$, so

$$\begin{aligned}
\mathrm{GT}(a, e(x)) &= \left(\frac{(c_1 d_1 + a c_2 d_2)^2 - a (c_1 d_2 + c_2 d_1)^2}{N}\right) \\
&= \left(\frac{(c_1^2 - a c_2^2)(d_1^2 - a d_2^2)}{N}\right) \\
&= \left(\frac{c_1^2 - a c_2^2}{N}\right) \left(\frac{d_1^2 - a d_2^2}{N}\right) \\
&= \mathrm{GT}(a, c(x)) \cdot \mathrm{GT}(a, d(x)) \\
&= 1
\end{aligned}$$

Therefore, $e(x) \in G_a$.

It remains to show that every element of $G_a$ is a unit. Let $z = c_1^2 - a c_2^2 \in \mathbb{Z}_N$. An inverse $d_2 x + d_1$ of $c(x)$ can be computed by setting $d_1 = c_1 z^{-1}$ and $d_2 = -c_2 z^{-1}$ if it holds that $z$ is invertible in $\mathbb{Z}_N$. Indeed such a $d_2 x + d_1$ is in $G_a$. Now if $z$ is not invertible in $\mathbb{Z}_N$ then $p \mid z$ or $q \mid z$, which implies that $\left(\frac{z}{p}\right) = 0$ or $\left(\frac{z}{q}\right) = 0$. But $\mathrm{GT}(a, c(x)) = \left(\frac{z}{N}\right) = \left(\frac{z}{p}\right)\left(\frac{z}{q}\right) = 1$ since $c(x) \in G_a$. Therefore, $z$ is a unit in $\mathbb{Z}_N$, and $c(x)$ is a unit in $R_a$.

Finally, to prove (2), note that the members of $S_a$ are exactly the elements $c(x)$ such that $c_1^2 - c_2^2 a$ is a square, and it is easy to see that this is preserved under $*$ in $R_a$. $\square$

^6 This definition is stricter than its analog in [25] insofar as all elements are in $G_a$.

We will also need the following corollary.

Corollary 2 (Extension of Lemma 2.2 in [25]). The distributions $\{(N, a, t + a h^2 t^{-1}, 2h) : N \leftarrow \mathrm{Setup}(1^\lambda),\ a \leftarrow \mathbb{Z}_N^*[+1],\ t, h \leftarrow \mathbb{Z}_N^*\}$ and $\{(N, a, z_1, z_2) : N \leftarrow \mathrm{Setup}(1^\lambda),\ a \leftarrow \mathbb{Z}_N^*[+1],\ z_1 + z_2 x \leftarrow G_a \setminus S_a\}$ are indistinguishable assuming the hardness of the quadratic residuosity problem.

Proof. The corollary follows immediately from Lemma 2.2 in [25]. Let $\mathcal{A}$ be an efficient adversary that distinguishes both distributions. Lemma 2.2 in [25] shows that the distributions $D_1 := \{(N, a, t + a t^{-1}) : N \leftarrow \mathrm{Setup}(1^\lambda),\ a \leftarrow \mathbb{Z}_N^*[+1],\ t \leftarrow \mathbb{Z}_N^*\}$ and $D_2 := \{(N, a, z_1) : N \leftarrow \mathrm{Setup}(1^\lambda),\ a \leftarrow \mathbb{Z}_N^*[+1],\ z_2 x + z_1 \leftarrow G_a \setminus S_a,\ z_2 = 2\}$ are indistinguishable. Given a sample $(N, a, c)$, the simulator generates $h \leftarrow \mathbb{Z}_N^*$ and computes $b \leftarrow h^{-2} a$. It passes the element $(N, b, c, 2h)$ to $\mathcal{A}$. The simulator halts with the output of $\mathcal{A}$. $\square$

Theorem 1. xhIBE is a group homomorphic scheme with respect to the group operation of $(\mathbb{Z}_2, +)$.

Proof. Let $a = H(\mathrm{id})$ for any valid identity string $\mathrm{id}$. Assume that the secret key $r$ satisfies $r^2 \equiv a \pmod N$. The analysis holds analogously if $r^2 \equiv -a \pmod N$; therefore, we omit the second component of the ciphertexts for simplicity.

By definition, $S_a = \{c(x) \in R_a \mid c(x) \leftarrow \mathrm{xhIBE.Encrypt}(\mathrm{PP}, a, m),\ m \in M\}$ (recall that we omit the second ciphertext component). The subset of $R_a$ that forms the distinguishable ciphertext space associated with $a$ is $G_a$ (the decryption algorithm outputs $\bot$ on input $c(x)$ such that $c(x) \notin G_a$), since by Corollary 2, $S_a \approx G_a$ without the master secret key. Thus, $S_a$ corresponds to $\tilde{C}$ and $G_a$ corresponds to $C_f$ in Definition 8. It follows that the third requirement of this definition is satisfied.

By Lemma 1, $G_a$ is a group and $S_a$ is a non-trivial subgroup of $G_a$. The surjective homomorphism between $\tilde{C} := S_a$ and $M := \mathbb{Z}_2$ has already been shown in the correctness derivation in equation (5.2). This completes the proof. $\square$

Remark 5. It is straightforward to show that xhIBE also meets the criteria for a shift-type homomorphism as defined in [38].

Corollary 3. xhIBE is strongly homomorphic.

Proof. Any group homomorphic scheme can be turned into a strongly homomorphic scheme by rerandomizing an evaluated ciphertext. Indeed this follows from Lemma 1 in [38]. Rerandomization is achieved by multiplying the evaluated ciphertext by an encryption of the identity, as in xhIBE.Eval. Details follow for completeness. Let

$$(c'(x), d'(x), a) \leftarrow \mathrm{xhIBE.Eval}(\mathrm{PP}, C, \psi_1, \ldots, \psi_\ell)$$

for any $C \in \mathcal{C}$ and any $\psi_1 \leftarrow \mathrm{xhIBE.Encrypt}(\mathrm{PP}, b_1, \mathrm{id}), \ldots, \psi_\ell \leftarrow \mathrm{xhIBE.Encrypt}(\mathrm{PP}, b_\ell, \mathrm{id})$. From the last step of xhIBE.Eval, we see that $c'(x) \leftarrow c''(x) * r(x)$ where $r(x) \leftarrow S_a^{(0)}$ and $c''(x)$ is the result of the homomorphic evaluation. Suppose that $c''(x)$ encrypts a bit $b$. Since $S_a$ is a group, it follows that $c'(x)$ is uniformly distributed in the coset $S_a^{(b)}$ (of the subgroup $S_a^{(0)}$) and is thus distributed according to a "fresh" encryption of $b$. $\square$

Theorem 2. xhIBE is IND-ID-CPA secure in the random oracle model under the quadratic residuosity assumption.

Proof. Let $\mathcal{A}$ be an adversary that breaks the IND-ID-CPA security of xhIBE. We use $\mathcal{A}$ to construct an algorithm $\mathcal{S}$ to break the IND-ID-CPA security of the Cocks scheme with the same advantage. $\mathcal{S}$ proceeds as follows:

1. Uniformly sample an element $h \leftarrow \mathbb{Z}_N^*$. Receive the public parameters PP from the challenger $\mathcal{C}$ and pass them to $\mathcal{A}$.

2. $\mathcal{S}$ answers a query to $H$ for identity $\mathrm{id}$ with $H'(\mathrm{id}) \cdot h^{-2}$ where $H'$ is $\mathcal{S}$'s random oracle. The responses are uniformly distributed in $\mathbb{Z}_N[+1]$.

3. $\mathcal{S}$ answers a key generation query for $\mathrm{id}$ with the response $K(\mathrm{id}) \cdot h^{-1}$ where $K$ is its key generation oracle.

4. When $\mathcal{A}$ chooses target identity $\mathrm{id}^*$, $\mathcal{S}$ relays $\mathrm{id}^*$ to $\mathcal{C}$. Assume w.l.o.g. that $H$ has been queried for $\mathrm{id}^*$, and that $\mathcal{A}$ has not made a secret key query for $\mathrm{id}^*$. Further key generation requests are handled subject to the condition that $\mathrm{id} \neq \mathrm{id}^*$ for a requested identity $\mathrm{id}$.

5. Let $a = H(\mathrm{id}^*)$. On receiving a challenge ciphertext $(c, d)$ from $\mathcal{C}$, compute $c(x) \leftarrow 2hx + c \in R$ and $d(x) \leftarrow (2hx + d) * r(x) \in R$ where $r(x) \leftarrow S_{-a}^{(0)}$ and $S_{-a}^{(0)}$ is the second component of the set of legal encryptions of 0. From Corollary 3, $d(x)$ is uniformly distributed in $S_{-a}^{(b)}$ where the ciphertext $(c, d)$ in the Cocks scheme encrypts the bit $b$. It follows that $(c(x), d(x))$ is a perfectly simulated encryption of $b$ under identity $\mathrm{id}^*$ in xhIBE. Give $(c(x), d(x))$ to $\mathcal{A}$.

6. Output $\mathcal{A}$'s guess $b'$.

Since the view of $\mathcal{A}$ in an interaction with $\mathcal{S}$ is indistinguishable from its view in the real game, we conclude that the advantage of $\mathcal{S}$ is equal to the advantage of $\mathcal{A}$. $\square$

In the next section, attention is drawn to obtaining an anonymous variant of our construction.

6 Anonymity

Cocks' scheme is notable as one of the few IBE schemes that do not rely on pairings. Since it appeared, there have been efforts to reduce its ciphertext size and make it anonymous. Boneh, Gentry and Hamburg [28] proposed a scheme with some elegant ideas that achieves both anonymity and a much reduced ciphertext size for multi-bit messages at the expense of performance, which is $O(n^{?})$ for encryption and $O(n^{?})$ for decryption (where $n$ is the security parameter). Unfortunately the homomorphic property is lost in this construction.

As mentioned earlier (cf. Section 5.2), another approach due to Ateniese and Gasti [25] achieves anonymity and preserves performance, but its per-bit ciphertext expansion is much higher than in [28]. However, an advantage of this scheme is that it is universally anonymous (anyone can anonymize the message, not merely the encryptor [24]).

On the downside, anonymizing according to this scheme breaks the homomorphic property of our construction, which depends crucially on the public key $a$. More precisely, what is forfeited is the universal homomorphic property mentioned in the introduction (i.e. anyone can evaluate on the ciphertexts without additional information). There are applications where an evaluator is aware of the attribute(s) associated with ciphertexts, but anonymity is desirable to prevent any other parties in the system learning about such attributes. This motivates a variant of HPE, which we call non-universal HPE, denoted by $\mathrm{HPE}_{\mathrm{nu}}$.

6.1 Non-Universal HPE

The main change in syntax entails an additional input $\alpha$ that is supplied to the Eval algorithm. The input $\alpha \in \{0, 1\}^d$ (where $d = \mathrm{poly}(\lambda)$) models the additional information needed to compute the homomorphism(s). A description of an efficient map $Q_A : A \to \{0, 1\}^d$ is included in the public parameters.

We now formulate the security notion of attribute-hiding for non-universal HPE. Our security model provides the adversary with an evaluation oracle whose attribute-dependent input $\alpha$ is fixed when the challenge is produced. Accordingly, for a challenge attribute $a \in A$ and binary string $\alpha = Q_A(a) \in \{0, 1\}^d$, the adversary can query $\mathrm{HPE}_{\mathrm{nu}}.\mathrm{Eval}(\mathrm{PP}, \alpha, \cdot, \cdot)$ for any circuit in $\mathcal{C}$ and any $\ell$-length sequence of ciphertexts. Formally, consider the experiment

Experiment $\mathrm{UPriv}(\mathcal{A}_1, \mathcal{A}_2)$ (see footnote 7)

  $(\mathrm{PP}, \mathrm{MSK}) \leftarrow \mathrm{HPE.Setup}(1^\lambda)$
  $(a_0, m_0), (a_1, m_1), \sigma \leftarrow \mathcal{A}_1^{\mathrm{HPE}_{\mathrm{nu}}.\mathrm{KeyGen}(\mathrm{MSK}, \cdot)}(\mathrm{PP})$   ▷ $\sigma$ denotes the adversary's state
  $b \leftarrow \{0, 1\}$
  $\alpha \leftarrow Q_A(a_b)$
  $c \leftarrow \mathrm{HPE.Encrypt}(\mathrm{PP}, a_b, m_b)$
  $b' \leftarrow \mathcal{A}_2^{\mathrm{HPE}_{\mathrm{nu}}.\mathrm{KeyGen}(\mathrm{MSK}, \cdot),\ \mathrm{HPE}_{\mathrm{nu}}.\mathrm{Eval}(\mathrm{PP}, \alpha, \cdot, \cdot)}(\mathrm{PP}, c, \sigma)$
  return 1 iff $b' = b$ and 0 otherwise.

^7 In the random oracle model, the adversary is additionally given access to a random oracle. This is what the results in this paper will use.

Define the advantage of an adversary $\mathcal{A} := (\mathcal{A}_1, \mathcal{A}_2)$ in the above experiment for a $\mathrm{HPE}_{\mathrm{nu}}$ scheme $\mathcal{E}$ as follows:

$$\mathrm{Adv}^{\mathrm{UPriv}}_{\mathcal{E}}(\mathcal{A}) = \Pr[\mathrm{UPriv}(\mathcal{A}) = 1] - \tfrac{1}{2}.$$

A $\mathrm{HPE}_{\mathrm{nu}}$ scheme $\mathcal{E}$ is said to be attribute-hiding if for all pairs of PPT algorithms $\mathcal{A} := (\mathcal{A}_1, \mathcal{A}_2)$, the advantage $\mathrm{Adv}^{\mathrm{UPriv}}_{\mathcal{E}}(\mathcal{A})$ of $\mathcal{A}$ is $< \mathrm{negl}(\lambda)$. Note that the above definition assumes adaptive adversaries, but can be easily modified to accommodate the non-adaptive case.



6.2 Universal Anonymizers

We now present an abstraction called a universal anonymizer. With its help, we can transform a universally-homomorphic, non-attribute-hiding HPE scheme $\mathcal{E}$ into a non-universally homomorphic, attribute-hiding scheme $\mathcal{E}'$. In accordance with the property of universal anonymity proposed in [24], any party can anonymize a given ciphertext.

Let $\mathcal{E} := (\mathrm{Setup}, \mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt}, \mathrm{Evaluate})$ be a HPE scheme parameterized with message space $M$, attribute space $A$, class of predicates $\mathcal{F}$ and class of circuits $\mathcal{C}$. Denote its ciphertext space by $C$.

Definition 9. A universal anonymizer $\mathcal{U}_{\mathcal{E}}$ for a (H)PE scheme $\mathcal{E}$ is a tuple $(\mathcal{G}, B, B^{-1}, Q_A, Q_{\mathcal{F}})$ where $\mathcal{G}$ is a deterministic algorithm, $B$ and $B^{-1}$ are randomized algorithms, and $Q_A$ and $Q_{\mathcal{F}}$ are efficient maps, defined as follows:

- $\mathcal{G}(\mathrm{PP})$:

  On input the public parameters of an instance of $\mathcal{E}$, output a parameters structure params. This contains a description of a modified ciphertext space $\bar{C}$ as well as an integer $d = \mathrm{poly}(\lambda)$ indicating the length of binary strings representing an attribute class.

- $B(\mathrm{params}, c)$:

  On input parameters params and a ciphertext $c \in C$, output an element of $\bar{C}$.

- $B^{-1}(\mathrm{params}, \alpha, \bar{c})$:

  On input parameters params, a binary string $\alpha \in \{0, 1\}^d$ and an element $\bar{c} \in \bar{C}$, output an element of $C$.

- Both maps $Q_A$ and $Q_{\mathcal{F}}$ are indexed by params: $Q_{A,\mathrm{params}} : A \to \{0, 1\}^d$ and $Q_{\mathcal{F},\mathrm{params}} : \mathcal{F} \to \{0, 1\}^d$.

Note: params can be assumed to be an implicit input; it will not be explicitly specified, to simplify notation.

The binary string $\alpha$ is computed by means of a map $Q_A : A \to \{0, 1\}^d$. In order for a decryptor to invert $B$, $\alpha$ must also be computable from any predicate that is satisfied by an attribute that maps onto $\alpha$. Therefore, there is a map $Q_{\mathcal{F}} : \mathcal{F} \to \{0, 1\}^d$ with the property that for all $a \in A$ and $f \in \mathcal{F}$:

$$f(a) = 1 \Rightarrow Q_A(a) = Q_{\mathcal{F}}(f).$$

This implies an equivalence relation $\sim$ on $\mathcal{F}$ defined by

$$f_1 \sim f_2 \iff \mathrm{supp}(f_1) \cap \mathrm{supp}(f_2) \neq \emptyset.$$

It follows that each $\alpha$ is a representative of an equivalence class in $\mathcal{F}/\!\sim$. Clearly, $|\mathcal{F}/\!\sim| =$ in the context of IBE.

Let $c$ be a ciphertext associated with an attribute $a$. Let $\alpha = Q_A(a)$. Informally, $c' := B^{-1}(\alpha, B(c))$ should "behave" like $c$; that is, (1) it should have the same homomorphic "capacity" and (2) decryption with a secret key for any $f$ should have the same output as that for $c$. A stronger requirement captured in our formal correctness criterion in Appendix A is that $c$ and $c'$ should be computationally indistinguishable even when a distinguisher is given access to MSK.

A universal anonymizer is employed in the following generic transformation from a universally-homomorphic, non-attribute-hiding HPE scheme $\mathcal{E}$ to a non-universally homomorphic, attribute-hiding scheme $\mathcal{E}'$.

The transformation is achieved by setting:

- $\mathcal{E}'.\mathrm{Encrypt}(\mathrm{PP}, a, m) := B(\mathcal{E}.\mathrm{Encrypt}(\mathrm{PP}, a, m))$

- $\mathcal{E}'.\mathrm{Decrypt}(\mathrm{SK}_f, c) := \mathcal{E}.\mathrm{Decrypt}(\mathrm{SK}_f, B^{-1}(Q_{\mathcal{F}}(f), c))$

- $\mathcal{E}'.\mathrm{Eval}(\mathrm{PP}, f, C, c_1, \ldots, c_\ell)$:
    $\alpha \leftarrow Q_{\mathcal{F}}(f)$
    return $B(\mathcal{E}.\mathrm{Eval}(\mathrm{PP}, C, B^{-1}(\alpha, c_1), \ldots, B^{-1}(\alpha, c_\ell)))$

Denote the above transformation by $T_{\mathcal{U}_{\mathcal{E}}}(\mathcal{E})$. We leave to future work the task of establishing (generic) sufficient conditions that $\mathcal{E}$ must satisfy to ensure that $\mathcal{E}' := T_{\mathcal{U}_{\mathcal{E}}}(\mathcal{E})$ is an attribute-hiding $\mathrm{HPE}_{\mathrm{nu}}$ scheme. An instantiation of a universal anonymizer for our XOR-homomorphic scheme is given in the appendix.

7 Applications (Sketch)

It turns out that XOR-homomorphic cryptosystems have been considered to play an important part in several applications. In this section, we look at how an identity-based XOR-homomorphic cryptosystem may be of import in many of these application scenarios. The most well-known and widely-used unbounded XOR-homomorphic public-key cryptosystem is Goldwasser-Micali (GM) [6], which is based on the quadratic residuosity problem. In this discussion, we do not consider bounded XOR-homomorphic schemes such as variants of lattice-based IBE constructions (for example

7.1 Sealed-Bid Auctions

Peng, Boyd and Dawson (PBD) [40] propose a sealed-bid auction system that makes extensive use of the GM cryptosystem. Without elaborating on the intricacies of sealed-bid auctions, it can be readily seen that an XOR-homomorphic IBE scheme may be desirable in this scenario. In the PBD auction protocol, there are $m$ auctioneers $A_1, \ldots, A_m$ and $n$ bidders $B_1, \ldots, B_n$, and $L$ prices $p_1, \ldots, p_L$. Each auctioneer $A_i$ has her own public key $PK_i$ for the GM scheme. A broadcast channel, referred to as a bulletin board, is assumed to be available. Central to the protocol is that each bidder $B_i$ sets $b_{i,j} \leftarrow \{0, 1\}$ (resp. $\{\mathrm{NO}, \mathrm{YES}\}$) according to whether he is prepared to pay price $p_j$. Then for $1 \le k \le m$, he randomly samples $b_{i,j,k} \xleftarrow{\$} \{0, 1\}$ conditioned on $b_{i,j} = \sum_{k=1}^{m} b_{i,j,k}$. Then for $1 \le k \le m$, he encrypts $b_{i,j,k}$ as $c_k$ with public key $PK_k$ and publishes $c_1, \ldots, c_m$ to the bulletin board.

In practice, one might expect $A_1, \ldots, A_m$ to be members of independent well-established auctioneer firms. The advantage of IBE in this context is that it enables each bidder (and the other auctioneers alike) to derive an auctioneer's public key from her presented/known identity and the known public parameters of her agency. Alternatively, the bidders may encrypt with an attribute related to the auction in question, and successful decryption relies on whether the auctioneer has been authorized (i.e. issued the corresponding secret key) by her agency. Moreover, this may also simplify auditing, accountability and key management for the agency. As a result, it seems that our XOR-homomorphic construction may be of benefit in this scenario.

There are some caveats, however, to be considered. PBD depends on zero-knowledge proofs of correct decryption in order to provide public verifiability of an auction. While this is still possible for our construction, it is not as technically straightforward or as efficient as it is for GM.

With regard to performance, our construction requires 8 multiplications in $\mathbb{Z}_N$ for a single homomorphic operation in comparison to a single multiplication in GM. Furthermore, the construction has higher ciphertext expansion than GM by a factor of 4. Encryption involves 2 modular inverses and 6 multiplications (only 4 if the strongly homomorphic property is forfeited). In comparison, GM only requires 1.5 multiplications on average. On the plus side, there may be bandwidth savings in terms of key storage.



7.2 Private Information Retrieval

GM and other additively homomorphic schemes such as Paillier have been used as building blocks for Private Information Retrieval (PIR) protocols. In a PIR system where the sender and receiver are different parties and IBE is employed to derive the receiver's public key, a homomorphic IBE scheme is not required. Instead, the sender generates a key pair for a public-key additively homomorphic cryptosystem and encrypts it using the receiver's identity in the IBE scheme. As usual, where there are multiple independent senders and homomorphic computation must take place, a homomorphic IBE scheme is necessary.

Consider two parties $A$ and $B$ who independently query a database $D$ for items $D[q_A]$ and $D[q_B]$ respectively. The goal is that if $D[q_A] = D[q_B]$, then $x := D[q_A]$ is to be forwarded to another party $C$. Otherwise, a random item is to be forwarded to $C$ (which will fail a validity check and thus signify the mismatch to $C$). Furthermore, $D$ should not be able to learn which item was queried by either party. Its task is to retrieve both items and "blindly" compare them. $D$ remains oblivious as to what is forwarded to $C$. If key management in the system is to be identity-based, then an XOR-homomorphic IBE scheme appears to be a suitable fit.

7.3 Biometrics

Bringer et al. [41] apply GM to biometric authentication. It is used in two primary ways: (1) to achieve PIR and (2) to assist in computing the Hamming distance between a recorded biometric template and a reference one. Their system comprises three entities on the server side that are assumed to be semi-honest. Roughly speaking, the chief security goal is to ensure that no single entity can match a biometric template to an identity. XOR-homomorphic IBE might be a useful tool for extensions of this protocol. In particular, an anonymous (even to the trusted authority) and universal XOR-homomorphic scheme would open up some new possibilities, especially in a system with multiple independent non-interacting sensors that contribute biometric data. Such a scheme is left as an open problem.

8 Conclusions and Future Work

We have presented a characterization of homomorphic encryption in the PE setting and classified schemes based on the properties of their attribute homomorphisms. Instantiations of certain homomorphic properties were presented for inner-product PE. However, it is clear that meaningful attribute homomorphisms are limited. We leave to future work the exploration of homomorphic encryption with access policies in a more general setting.

In this paper, we introduced a new XOR-homomorphic variant of the Cocks IBE scheme and showed that it is strongly homomorphic. However, we failed to fully preserve the homomorphic property in anonymous variants; that is, we could not construct an anonymous universally-homomorphic variant. We leave this as an open problem. As a compromise, however, a weaker primitive (non-universal HPE) was introduced along with a related security notion. Furthermore, a transformation strategy adapted from the work of Ateniese and Gasti [25] was exploited to obtain anonymity for our XOR-homomorphic construction in this weaker primitive. Moreover, the main ideas therein were generalized to the PE setting.

In future work, it is hoped to construct other group homomorphic IBE schemes, and possibly for more general classes of predicates than the IBE functionality.

Noteworthy problems, which we believe are still open:

1. Somewhat-homomorphic IBE scheme (even with non-adaptive security in the ROM)

2. (Unbounded) Group homomorphic IBE schemes for $(\mathbb{Z}_m, +)$ where $m = O(2^\lambda)$ and $(\mathbb{Z}_p^*, \cdot)$ for prime $p$. Extensions include anonymity and support for a wider class of predicates beyond the IBE functionality.

A Correctness Condition for a Universal Anonymizer

Let $\mathcal{E}$ be a (H)PE scheme with public index, and let $\mathcal{U}_{\mathcal{E}} := (\mathcal{G}, B, B^{-1}, Q_A, Q_{\mathcal{F}})$ be a universal anonymizer for $\mathcal{E}$. Define the distributions

$$D_1 = \{(\mathrm{PP}, \mathrm{MSK}, \mathrm{params}, c) \mid (\mathrm{PP}, \mathrm{MSK}) \leftarrow \mathcal{E}.\mathrm{Setup}(1^\lambda),\ \mathrm{params} \leftarrow \mathcal{G}(\mathrm{PP}),\ c \leftarrow C\}$$

and

$$D_2 = \{(\mathrm{PP}, \mathrm{MSK}, \mathrm{params}, c') \mid (\mathrm{PP}, \mathrm{MSK}) \leftarrow \mathcal{E}.\mathrm{Setup}(1^\lambda),\ \mathrm{params} \leftarrow \mathcal{G}(\mathrm{PP}),\ c \leftarrow C,\ c' \leftarrow B^{-1}(Q_A(\mathrm{attr}(c)), B(c))\}$$

where $\mathrm{attr}(c)$ returns the attribute associated with $c$. The correctness condition for a universal anonymizer $\mathcal{U}_{\mathcal{E}}$ is that $D_1 \approx D_2$ (computational indistinguishability).



B Instantiation of a Universal Anonymizer for Main Construction

The techniques from [25] can be employed to construct a universal anonymizer for xhIBE. In this paper, the basic version of their construction is adapted.

Let $L(\lambda)$ be the maximum bit-length of identities in xhIBE. A universal anonymizer $\mathrm{AG}_{\mathrm{xhIBE}} := (\mathrm{AG}_{\mathrm{xhIBE}}.\mathcal{G}, \mathrm{AG}_{\mathrm{xhIBE}}.B, \mathrm{AG}_{\mathrm{xhIBE}}.B^{-1}, Q_A, Q_{\mathcal{F}})$ for xhIBE, in which the string $\alpha$ is the identity $\mathrm{id}$ itself and the algorithms below work with $a = H(\mathrm{id})$, based on the techniques of Ateniese and Gasti, is given as follows.

Let $\mathrm{Geom}(p)$ be a geometric distribution with parameter $p$.

Algorithm 1 $\mathrm{AG}_{\mathrm{xhIBE}}.\mathcal{G}(\mathrm{PP})$
  $m \leftarrow \lambda$
  params := $(2m + 2, L)$   ▷ (length of $\bar{C}$, length of $\alpha$)
  return params

Algorithm 2 $\mathrm{AG}_{\mathrm{xhIBE}}.B(\mathrm{params}, \psi)$
  Parse params as $(m, L)$
  Parse $\psi$ as $(c(x), d(x), a)$
  $k_1, k_2 \leftarrow \mathrm{Geom}(1/2)$
  $t(x), v(x) \leftarrow \mathbb{Z}_N[x]$
  $z_1(x) \leftarrow c(x) + t(x)$
  $z_2(x) \leftarrow d(x) + v(x)$
  for $1 \le i < k_1$ do
    repeat
      $t_i(x) \leftarrow \mathbb{Z}_N[x]$
    until $\mathrm{GT}(a, z_1(x) - t_i(x), N) = -1$
  end for
  $t_{k_1}(x) \leftarrow t(x)$
  for $1 \le i < k_2$ do
    repeat
      $v_i(x) \leftarrow \mathbb{Z}_N[x]$
    until $\mathrm{GT}(-a, z_2(x) - v_i(x), N) = -1$
  end for
  $v_{k_2}(x) \leftarrow v(x)$
  for $k_1 < i \le m$ do
    $t_i(x) \leftarrow \mathbb{Z}_N[x]$
  end for
  for $k_2 < i \le m$ do
    $v_i(x) \leftarrow \mathbb{Z}_N[x]$
  end for
  return $\bar{\psi} := ((z_1(x), t_1(x), \ldots, t_m(x)),\ (z_2(x), v_1(x), \ldots, v_m(x))) \in \mathbb{Z}_N[x]^{2m+2}$

Algorithm 3 $\mathrm{AG}_{\mathrm{xhIBE}}.B^{-1}(\mathrm{params}, \alpha, \bar{\psi})$
  Parse params as $(m, L)$
  Parse $\bar{\psi}$ as $((z_1(x), t_1(x), \ldots, t_m(x)),\ (z_2(x), v_1(x), \ldots, v_m(x)))$
  $i \leftarrow 1$
  while $\mathrm{GT}(a, z_1(x) - t_i(x), N) \neq 1$ do
    $i \leftarrow i + 1$
  end while
  $c(x) \leftarrow z_1(x) - t_i(x)$
  $i \leftarrow 1$
  while $\mathrm{GT}(-a, z_2(x) - v_i(x), N) \neq 1$ do
    $i \leftarrow i + 1$
  end while
  $d(x) \leftarrow z_2(x) - v_i(x)$
  return $(c(x), d(x), a)$

Let the set of valid ciphertexts $C$ be defined as $\{(c(x), d(x), a) \in \mathbb{Z}_N[x]^2 \times \mathbb{Z}_N : c(x) \in G_a,\ d(x) \in G_{-a}\}$. Then for any $(\mathrm{PP}, \mathrm{MSK}) \leftarrow \mathrm{xhIBE.Setup}(1^\lambda)$ and params $\leftarrow \mathrm{AG}_{\mathrm{xhIBE}}.\mathcal{G}(\mathrm{PP})$, the correctness condition in Appendix A is trivially satisfied since $\forall \psi := (c(x), d(x), a) \in C$:

$$\psi = \mathrm{AG}_{\mathrm{xhIBE}}.B^{-1}(\alpha, \mathrm{AG}_{\mathrm{xhIBE}}.B(\psi)).$$

We can apply the transformation

$$\mathrm{xhIBE}' \leftarrow T_{\mathrm{AG}_{\mathrm{xhIBE}}}(\mathrm{xhIBE})$$

described in the last section to obtain a scheme xhIBE'. The scheme in [25] is shown to satisfy a security definition (ANON-IND-ID-CPA) in the random oracle model that is stronger than the attribute-hiding definition for IBE in the random oracle model. It can be easily shown with the help of Corollary 2 that xhIBE' is an attribute-hiding $\mathrm{HPE}_{\mathrm{nu}}$ scheme for the IBE functionality supporting the group homomorphism $(\mathbb{Z}_2, +)$.
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